0 votes
429 views, 1 comment
by anonymous

I found similar questions here, but not really a comprehensive answer. My setup is a client connected to the LAN1 interface and an IoT SIM card for Internet access.

To minimize traffic when the router is "idle" (meaning that there is no traffic from the clients), I did the following:

Disable MultiWan

Network - WAN: Check Mobile (WAN) as Main WAN, uncheck everything else. This disables MultiWan, which creates traffic by sending regular ICMP packets to check link availability

Disable RMS

System - Administration - RMS: Set Connection Type to “Disabled”. Otherwise the router will try to connect to the RMS host

I still saw some cellular traffic. I then enabled the "Block_DNS_forwarding" traffic rule in the firewall settings, but still saw some DNS traffic originating from the WAN IP of the router to the DNS servers provided by the mobile operator. Once I changed the DNS on the client to an unused IP, this traffic also disappeared.

So here is my question: What firewall rule would I have to create to prevent DNS traffic like described above (DNS Forwarding)? I tried a few things, but none of it would prevent that traffic. The workaround with the invalid DNS setting on the client is fine, but I'd really like to solve this on the router.

1 Answer

0 votes
by anonymous

Hi,

The rule you mentioned blocks DNS forwarding, not DNS output. If your LAN client were using a custom DNS server (e.g., 8.8.8.8, 1.1.1.1), the router would not forward DNS requests to that server (or any DNS server, for that matter) when this rule is enabled. However, if you're using automatic settings on your LAN1 client (using the router as its DNS server), enabling the rule does nothing to block DNS traffic.

To block DNS traffic you would have to block DNS requests in the firewall's OUTPUT chain. Easiest way to do this is from the Network → Firewall → Custom Rules page. Simply go to the page and copy/paste this command into the Custom Rules box:

  • iptables -I zone_wan_output -p udp -m udp --dport 53 -j zone_wan_dest_REJECT

This will prevent the router from communicating with external DNS servers, thus effectively preventing DNS traffic on the mobile interface. However, your client would still be able to access DNS servers if set manually. To block this, simply enable the Block_DNS_forwarding rule.

Good luck,

DM

Best answer
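The answer above gives a single UDP rule for the OUTPUT chain and points at the Block_DNS_forwarding rule for the FORWARD direction. The script below is an added example, not code from the answer or from Teltonika: it prints a complete Custom Rules set that rejects port 53 towards the WAN zone from both the router itself and from LAN clients, for UDP and TCP (DNS falls back to TCP for truncated answers, so a UDP-only rule leaves a gap), and it audits an `iptables -S` dump to show which combinations are still open. The chain names zone_wan_output and zone_wan_dest_REJECT come from the answer; zone_lan_forward is assumed here as the fw3 (OpenWrt) chain for traffic entering from the LAN zone. The two rule dumps are constructed, not captured from a real RUT955, and the interface names in them are illustrative.

```shell
#!/bin/sh
# Added example, not from the original answer or from Teltonika.
#  1. dns_block_rules: Custom Rules lines that stop DNS leaving via the mobile
#     WAN, both from the router itself (OUTPUT) and from LAN clients (FORWARD).
#  2. check_dns_rules: audits an `iptables -S` dump and reports which
#     chain/protocol combinations still let port 53 through.
# Assumptions: zone_wan_output and zone_wan_dest_REJECT are taken from the
# answer; zone_lan_forward is the fw3 chain for traffic arriving from the LAN
# zone and is assumed. Confirm the names on your unit with:
#   iptables -S | grep -E 'zone_(wan|lan)'

# Rules to paste into Network -> Firewall -> Custom Rules. The answer's rule
# covers UDP/53 only; DNS also runs over TCP/53, so both protocols are
# rejected in both chains.
dns_block_rules() {
    cat <<'EOF'
iptables -I zone_wan_output -p udp --dport 53 -j zone_wan_dest_REJECT
iptables -I zone_wan_output -p tcp --dport 53 -j zone_wan_dest_REJECT
iptables -I zone_lan_forward -p udp --dport 53 -j zone_wan_dest_REJECT
iptables -I zone_lan_forward -p tcp --dport 53 -j zone_wan_dest_REJECT
EOF
}

# Read an `iptables -S` dump on stdin. Returns 0 only when port 53 is rejected
# towards the WAN zone for udp and tcp in both the output and forward chains;
# otherwise prints the uncovered combinations and returns 1.
check_dns_rules() {
    dump=$(cat)
    missing=""
    for chain in zone_wan_output zone_lan_forward; do
        for proto in udp tcp; do
            # `iptables -S` lists every rule as -A, including ones added with -I.
            if ! printf '%s\n' "$dump" | grep -E -- \
                "^-A $chain .*-p $proto .*--dport 53 .*-j zone_wan_dest_REJECT" >/dev/null
            then
                missing="$missing $chain/$proto"
            fi
        done
    done
    if [ -n "$missing" ]; then
        echo "DNS to WAN still allowed via:$missing"
        return 1
    fi
    echo "DNS to WAN rejected for udp and tcp in output and forward chains"
    return 0
}

# Constructed dump (not captured from a real RUT955): the ruleset after pasting
# only the single UDP rule from the answer. Interface names are illustrative.
sample_dump_answer_only() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward
-A OUTPUT -o wwan0 -j zone_wan_output
-A zone_lan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -j ACCEPT
-A zone_wan_dest_REJECT -o wwan0 -j reject
-A zone_wan_output -p udp -m udp --dport 53 -j zone_wan_dest_REJECT
-A zone_wan_output -j zone_wan_dest_ACCEPT
EOF
}

# Constructed dump after all four rules from dns_block_rules have been applied.
sample_dump_full() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward
-A OUTPUT -o wwan0 -j zone_wan_output
-A zone_lan_forward -p udp -m udp --dport 53 -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m tcp --dport 53 -j zone_wan_dest_REJECT
-A zone_lan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -j ACCEPT
-A zone_wan_dest_REJECT -o wwan0 -j reject
-A zone_wan_output -p udp -m udp --dport 53 -j zone_wan_dest_REJECT
-A zone_wan_output -p tcp -m tcp --dport 53 -j zone_wan_dest_REJECT
-A zone_wan_output -j zone_wan_dest_ACCEPT
EOF
}

# Stand-alone run: show the rules, then audit both constructed dumps.
echo "# paste into Custom Rules:"
dns_block_rules
echo "# audit, answer's rule only:"
sample_dump_answer_only | check_dns_rules || :
echo "# audit, full set:"
sample_dump_full | check_dns_rules || :
```

Two points worth keeping in mind when applying this on the router. REJECT rather than DROP is the right target for the stated goal of suppressing traffic: the router's own resolver gets an immediate ICMP error and fails the query instead of retrying for seconds. And blocking the router's own DNS output also breaks anything on the router that resolves hostnames (NTP, RMS if it is re-enabled, update checks), so those services need IP literals or have to be accepted as broken. In the constructed dumps the line `-A zone_lan_forward -j zone_wan_dest_ACCEPT` is the fw3 zone forwarding (lan to wan) that gives LAN clients WAN access; it is generated from the zone configuration, not from an entry on the Traffic Rules page.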
by anonymous
@Dziugas Thanks a lot, this worked nicely. I do have a follow-up question though:

Can the DNS output be blocked only with a custom rule, not via the web interface?

And I don't understand by which rule in the default config of the RUT955 the LAN client gets WAN access. In General Settings, Forward is set to Reject (which is then the default, unless allowed by a specific rule). In Traffic Rules I can't find a rule that does that (mostly DHCP-related stuff enabled by default).

Can you please explain?